# help
j
hey guys! Sorry if this is off topic, but hoping someone can point me in the right direction 🙏 I want to create API Keys to allow customers to use our API. I’ve set that up and it was super easy 👍 but what is best practice for how to identify the customer by their API key?
o
If you use a JWT you can embed an identifier as a claim; otherwise you’ll need to store a mapping between the API key and the customer in your DB and do a lookup. Usually all this can happen inside a custom or JWT authorizer.
j
thanks for the input @Omi Chowdhury! So for my B2C customers I use a Cognito pool and a custom authorizer, and in my DB each user has a field for their Cognito ID. In this scenario the Cognito pool is acting as a mapping of tokens -> Cognito users, and in my DB I have a mapping of user -> Cognito user. Should I do something similar for my B2B partners? Like, could Cognito serve as a mapping of API keys to partners?
j
sounds like that could do the trick to me 👍 I typically don’t include things like that in JWTs. I would roll an API key with my API Gateway API and let AWS manage all that for me… buckets/throttles/etc… You can also lean on that to calculate usage-based billing.
f
Just to chime in, here’s a recent related discussion on API Keys that might help https://serverless-stack.slack.com/archives/C01JG3B20RY/p1650550660481039
j
thanks for all the input guys! So I’m considering 1 of 2 options now:

1. Use API Gateway API Keys
   a. I’ll manually create API Keys for customers
   b. In my DB I’ll have a table for customers, and a second table mapping the customers to any existing API Keys for them
   c. When I create API Keys I’ll add them to the mapping table
   d. API Gateway will ensure incoming requests have a valid key
   e. Then I’ll look up the customer by API Key in the DB

2. AWS pointed me to the Cognito OAuth Client Credentials Grant
   a. In this flow, I create a new App Client for each customer in my identity pool
   b. Customers will use the Cognito API to get a token using their Client ID and Secret
   c. Incoming requests will use a token and a custom authorizer, providing me with the Client ID
   d. Then I’ll look up the customer in my DB by Client ID (no need for a mapping table in this case)

Does that sound right? I’m leaning towards option 1
j
both are great options. I’ve used both separately and in combination. :d